[kismac] Re: Some interesting tidbits

  • From: "Michael Miller" <1337mail@xxxxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Wed, 12 Sep 2007 23:17:05 -0400

Unfortunately no. First off, I don't have a ton of time on my hands (I
really have near no free time, not exaggerating). Second of all, I
lack driver programming experience (specifically IOKit).

I did have a conversation with someone who stated that it would be
possible to inject packets by simply opening a socket with the driver
and writing the binary data for packets to the socket interface.
Perhaps someone wants to investigate this further?

Also, note that kismet (not kismac) supports passive sniffing on all
AirPort cards under Darwin (Mac OS X).

I'd be happy to help out anyone by explaining what I already know, but
don't expect anything usable for a while.

Sorry,
Mike

On 9/12/07, Wouter Minderhoud <wouter@xxxxxxxxxxxxxx> wrote:
> Hi Michael,
>
> Any progress on the HAL???
>
> I am very anxious and curious about the progress...
>
> cheers!
>
>
>
> On 3 Sep 2007, at 21:46, Michael Miller wrote:
>
> For those of you who don't know, Apple started including Atheros
> 802.11n chipsets in new Macs (not iMacs, but MacBook Pros, and (I
> think) Mac Pros). These are based around the same HAL (hardware
> abstraction layer) as the Linux (partially open source) Atheros
> driver. Thus, since we know how the HAL works (it is closed source, but
> the interfaces are documented), we can possibly gain
> injection/sniffing on any Atheros chipset. This is a possibility, but
> if it can be done, it will be great.
>
> Now for the good stuff ;). I looked through
> /System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/AirPortAtheros.kext/Contents/MacOS/AirPortAtheros.
> The main problem is that the startraw function is missing (I know very
> little about how the HAL works, so please, if you know anything about
> this, let me know). However, I did manage to get some interesting
> symbols showing that the Mac OS driver is based around the HAL.
> Because the madwifi project is based around it, perhaps we can create
> a wrapper driver with raw capabilities. Now for the interesting
> symbols:
>
> Atheros-related functions (grep _ath):
>
> Things possibly relating to monitor mode (grep monitor):
> __ZN16IO80211Interface22monitorModeInputPacketEP6__mbuf
> __ZN18AirPort_Athr5424ab10monitorDLTEP16IO80211Interface
> __ZN18AirPort_Athr5424ab21monitorModeSetEnabledEP16IO80211Interfaceb
> __ZN18AirPort_Athr5424ab25monitorPacketHeaderLengthEP16IO80211Interface
>
> Things having to do with start (grep start):
> _AirPort_Athr5424ab__serviceRestart
> __ZN18AirPort_Athr5424ab5startEP9IOService
> __ZN9IOService13startMatchingEm
> __ZN9IOService14startCandidateEPS_
> __ZN9IOService19start_PM_idle_timerEv
> __ZN9IOService5startEPS_
> __ZZN18AirPort_Athr5424ab5startEP9IOServiceE12__FUNCTION__
> __start
> _adhoc_start
> _ap_restart
> _ap_start
> _ar5212AniRestart
> _ath_scan_start
> _ath_start
> _ath_startrecv
> _ath_tx_start
> _ieee80211_start_scan
> _p_rx_buf_pool_phys_start
> _scan_restart
> _sta_restart
> _sta_start
> _tx99_start
>
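
The post reads the driver's capabilities off the kext's symbol table, but the C++ names it quotes are Itanium-ABI mangled, so the method signatures (which arguments monitorModeSetEnabled takes, for instance) are hidden in the encoding. As an added example, not code from this thread or from KisMAC, the small Python demangler below handles exactly the symbol forms quoted above (nested Class::method names, pointer and const qualifiers, the builtin type codes, and S_ back-references) and returns any other form unchanged; it assumes the Mach-O leading underscore seen in the listing.

```python
import re

class Demangler:  # minimal Itanium C++ ABI demangler: nested names, P/K qualifiers, S_ substitutions
    BUILTIN = {"v": "void", "b": "bool", "c": "char", "i": "int", "j": "unsigned int", "m": "unsigned long"}
    def __init__(self, mangled):
        self.s, self.pos, self.subs = mangled, 2, []    # skip "_Z"; subs = S_ candidates in order
    def source_name(self):                              # <length><identifier>
        m = re.match(r"\d+", self.s[self.pos:])
        start, self.pos = self.pos + m.end(), self.pos + m.end() + int(m.group())
        return self.s[start:self.pos]
    def type_(self):
        c = self.s[self.pos]
        if c in self.BUILTIN:                           # builtins are never S_ candidates
            self.pos += 1
            return self.BUILTIN[c]
        if c == "S":                                    # S_ -> candidate 0, S0_ -> 1, S1_ -> 2 ...
            end = self.s.index("_", self.pos)
            seq, self.pos = self.s[self.pos + 1:end], end + 1
            return self.subs[0 if seq == "" else int(seq, 36) + 1]
        if c in "PK":                                   # pointer / const applied to the inner type
            self.pos += 1
            t = self.type_() + ("*" if c == "P" else " const")
        else:
            t = self.source_name()                      # a class name
        self.subs.append(t)
        return t
    def nested_name(self):                              # N [K] <source-name>+ E
        const = self.s[self.pos + 1] == "K"             # K right after N = const member function
        parts, self.pos = [], self.pos + 1 + const
        while self.s[self.pos] != "E":
            parts.append(self.source_name())
            if self.s[self.pos] != "E":                 # every proper prefix is a candidate
                self.subs.append("::".join(parts))
        self.pos += 1
        return "::".join(parts), const

def demangle(symbol):
    name = symbol[1:] if symbol.startswith("_") else symbol  # Mach-O adds a leading "_"
    if not name.startswith("_ZN"):                      # C symbol, or a form not handled here
        return symbol if name.startswith("_Z") else name
    d = Demangler(name)
    try:
        qual, const = d.nested_name()
        params = []
        while d.pos < len(d.s):
            params.append(d.type_())
        params = [] if params == ["void"] else params   # "(void)" is spelled "()"
        return f"{qual}({', '.join(params)})" + (" const" if const else "")
    except (ValueError, IndexError, AttributeError):    # unsupported form: leave it mangled
        return symbol
```

Feeding the quoted "grep monitor" symbols through demangle() shows, for example, that AirPort_Athr5424ab::monitorModeSetEnabled takes an IO80211Interface pointer and a bool, which is what a wrapper driver would need to know about the vendor driver's monitor-mode entry point.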
